Homoglyph-Based Phishing Campaigns Target Booking[.]com and Intuit Users
Researchers have uncovered a phishing campaign that uses the Japanese hiragana character “ん” to disguise malicious URLs as those of legitimate travel-booking or tax-service websites. In certain fonts the character resembles “/n” or “/~”, so attackers can embed it in a URL where it appears to be part of a trusted site’s directory structure. Victims receive emails posing as travel confirmations or tax notices that link to attacker-controlled domains in which the “ん” characters obscure the true address. Once clicked, these links redirect to malicious infrastructure hosting MSI installers delivered through content delivery networks. The installers start infection chains capable of deploying infostealers or remote access trojans, enabling credential theft and long-term system compromise. This abuse of homoglyphs—characters that visually resemble others from different scripts—has been observed in prior homograph attacks and is effective at bypassing casual URL inspection. The campaigns tailor emails to the theme, using “Confirm booking” prompts for travel-related lures or “Verify tax information” messages during tax season. Many are optimized for mobile viewing, with narrow layouts that encourage quick taps on action buttons without careful inspection. In some cases, opening the malicious link outside the original email context redirects to a legitimate travel or tax service page, masking the attack during casual review. This redirection tactic helps the phishing pages evade suspicion and lengthens their operational lifespan. The combination of typographic deception and social engineering significantly increases the likelihood of user interaction and successful compromise. Mitigation includes hovering over links to verify their real destination, checking the host name that sits immediately before the first forward slash (the part that actually determines where the link goes, regardless of what follows it), and maintaining updated endpoint security capable of detecting and blocking malware downloads that follow a phishing click.
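The two checks the mitigation advice describes, extracting the host that actually receives the request and flagging look-alike characters that fake a directory structure, as an added example written for this page (not code from the researchers who reported the campaign). The sample URL and the list of confusable scripts are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Scripts whose glyphs can pass for ASCII path characters in some fonts.
# The hiragana "n" is the one from the campaign above; the rest are common
# homoglyph sources (assumption: illustrative list, not exhaustive).
SUSPECT_SCRIPTS = ("HIRAGANA", "KATAKANA", "CYRILLIC", "GREEK")


def true_host(url: str) -> str:
    """Return the host the browser will actually connect to: the authority
    component, i.e. everything before the first real '/' after the scheme.
    Anything after that slash is a path and cannot change the destination."""
    return urlsplit(url).hostname or ""


def homoglyph_findings(url: str) -> list:
    """List (position, character, unicode name) for every non-ASCII character
    in the URL that comes from a confusable script."""
    findings = []
    for pos, ch in enumerate(url):
        if ord(ch) < 128:
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        if any(name.startswith(script) for script in SUSPECT_SCRIPTS):
            findings.append((pos, ch, name))
    return findings


def assess_url(url: str) -> dict:
    """Triage a link: report the real host and any characters that make the
    URL read as if it belonged to a different site."""
    findings = homoglyph_findings(url)
    return {
        "true_host": true_host(url),
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample: the hiragana character makes the path look like
    # "/nbooking.com/confirm" although the host is example.net.
    sample = "https://example.net/\u3093booking.com/confirm"
    print(assess_url(sample))
```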
Critical RCE in Cisco Secure Firewall Management Center RADIUS
Cisco has disclosed CVE-2025-20265, a maximum-severity vulnerability affecting the RADIUS subsystem in Secure Firewall Management Center (FMC) software. The flaw affects FMC versions 7.0.7 and 7.7.0 when RADIUS authentication is enabled for the web-based management interface, SSH management, or both. Because of improper input handling during the RADIUS authentication phase, an unauthenticated remote attacker could send specially crafted credential input that injects and executes arbitrary shell commands on the FMC with elevated privileges. If exploited, the attacker would gain full administrative control over the FMC appliance, allowing configuration changes, the creation of rogue administrator accounts, the alteration of firewall policies, or the deployment of malicious code to managed devices. Since FMC is often integrated with RADIUS in enterprise and government environments for centralized access control and accounting, the risk extends to high-value and sensitive networks. Cisco identified this flaw through internal security testing, and no in-the-wild exploitation had been confirmed as of the advisory’s publication. However, the unauthenticated and remote nature of the vulnerability makes it highly attractive to opportunistic and targeted threat actors if left unpatched. Cisco has issued patched software versions that fully remediate the issue, available at no cost to customers with valid service agreements. Organizations unable to apply the updates immediately are advised to disable RADIUS authentication and adopt an alternative authentication mechanism, such as local user accounts, LDAP, or SAML single sign-on. Any such change should be checked for compatibility with operational requirements before it is made. While this workaround blocks the attack vector, it should be considered temporary until the permanent fix is deployed.
Administrators should also restrict management interface exposure to trusted IP ranges or management networks, enforce strong access control lists (ACLs), and continuously monitor authentication and system logs for anomalous activity. Given the potential for full FMC compromise and downstream impact on all connected firewalls, prompt patching combined with network segmentation and vigilant monitoring provides the strongest defense against CVE-2025-20265.
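Two defender-side checks for this advisory, as an added example written for this page rather than anything Cisco publishes: an exposure test that encodes the affected-version and RADIUS-enabled conditions, and a scan of authentication log lines for credential input that carries shell metacharacters, which legitimate logins never contain. The log format is constructed for the example and is not FMC's real format; adapt the regular expression to the appliance's actual syslog output.

```python
import re

# Versions the advisory text above names as affected. Consult the full
# advisory for the complete affected/fixed release list.
AFFECTED_VERSIONS = {"7.0.7", "7.7.0"}

# Characters needed to break out of a credential string into a shell.
# Their presence in RADIUS credential input is an anomaly worth alerting on.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")


def is_exposed(version: str, radius_web: bool, radius_ssh: bool) -> bool:
    """Exposure needs an affected build AND RADIUS enabled on at least one
    management interface; the advisory's workaround (disable RADIUS) clears it."""
    return version in AFFECTED_VERSIONS and (radius_web or radius_ssh)


# Assumed (constructed) line format:
#   "<timestamp> radius-auth iface=<web|ssh> user=<name> result=<ok|fail>"
LINE = re.compile(
    r"^(?P<ts>\S+) radius-auth iface=(?P<iface>\w+) user=(?P<user>.*?) result=(?P<res>\w+)$"
)


def suspicious_auth_events(lines) -> list:
    """Return (timestamp, interface, username) for authentication attempts whose
    username contains shell metacharacters."""
    hits = []
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if m and SHELL_META.search(m["user"]):
            hits.append((m["ts"], m["iface"], m["user"]))
    return hits


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    "2025-08-15T10:00:01Z radius-auth iface=web user=alice result=ok",
    "2025-08-15T10:00:05Z radius-auth iface=ssh user=bob result=fail",
    "2025-08-15T10:00:09Z radius-auth iface=web user=guest|x result=fail",
]

if __name__ == "__main__":
    print("exposed:", is_exposed("7.0.7", radius_web=True, radius_ssh=False))
    print("suspicious:", suspicious_auth_events(SAMPLE_LOG))
```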
CrossC2 Extends Cobalt Strike Beacon to Linux and macOS in Targeted Intrusions
Japan’s CERT Coordination Center (JPCERT/CC) has reported a campaign between September and December 2024 in which threat actors leveraged CrossC2, an unofficial extension of Cobalt Strike, to bring the Beacon’s post-exploitation capabilities to Linux and macOS. Analysis of VirusTotal artifacts revealed activity spanning multiple countries, with attackers also using custom malware to infiltrate Active Directory environments. Central to the intrusion was a bespoke Cobalt Strike Beacon loader dubbed ReadNimeLoader, written in the Nim programming language. This loader was deployed via a scheduled task configured to launch the legitimate java[.]exe process, which was abused to sideload the malicious jli[.]dll. Upon execution, ReadNimeLoader reads a text file into memory and uses it to load OdinLdr, an open-source shellcode loader. OdinLdr then decodes and executes the embedded Cobalt Strike Beacon in memory, so no payload is written to disk. JPCERT/CC noted infrastructure and file-naming overlaps between this activity and BlackSuit/Black Basta ransomware operations observed by Rapid7 in June 2025, suggesting either a shared operator or an exchange of tooling. The campaign also featured several ELF variants of SystemBC, a backdoor commonly deployed before Cobalt Strike or ransomware to establish persistence and route C2 traffic. CrossC2 enabled the attackers to extend their foothold to Linux servers within internal networks, a significant concern because many Linux systems lack endpoint detection and response (EDR) tooling, making them stealthy pivot points for lateral movement. With full Beacon command execution on Linux and macOS, the attackers could run arbitrary commands, stage additional payloads, and coordinate multi-platform control during post-exploitation phases.
Recommended mitigations include deploying EDR or equivalent monitoring across all operating systems, auditing scheduled tasks for unauthorized entries, restricting sideloading opportunities for signed binaries, and blocking C2 infrastructure tied to CrossC2 operations.
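An audit that implements two of the mitigations above, checking scheduled tasks for a java.exe launched from outside the trusted Java install roots and for a sideloadable jli.dll sitting beside it, as an added example written for this page (not JPCERT/CC tooling). The task records, directory listings and trusted roots are constructed assumptions; in practice feed it the output of the task scheduler and a real directory listing.

```python
from pathlib import PureWindowsPath

# Where a legitimate Java runtime is expected to live (assumption for this
# example; replace with the environment's software inventory).
TRUSTED_JAVA_ROOTS = (
    PureWindowsPath(r"C:\Program Files\Java"),
    PureWindowsPath(r"C:\Program Files (x86)\Java"),
)

# DLLs java.exe resolves by name from its own directory, so a copy placed
# next to a relocated java.exe is loaded instead of the real one.
SIDELOAD_DLLS = {"jli.dll"}


def under_trusted_root(path: PureWindowsPath) -> bool:
    parent = str(path.parent).lower()
    return any(parent.startswith(str(root).lower() + "\\") for root in TRUSTED_JAVA_ROOTS)


def audit_tasks(tasks, dir_listing) -> list:
    """tasks: iterable of (task_name, command_path).
    dir_listing: mapping of lower-case directory -> set of lower-case file names.
    Returns one finding per task that launches java.exe from an untrusted
    location; severity is 'high' when a sideloadable DLL sits beside it."""
    findings = []
    for name, cmd in tasks:
        p = PureWindowsPath(cmd)
        if p.name.lower() != "java.exe" or under_trusted_root(p):
            continue
        neighbours = dir_listing.get(str(p.parent).lower(), set())
        planted = sorted(SIDELOAD_DLLS & neighbours)
        findings.append({
            "task": name,
            "path": str(p),
            "sideload_dlls": planted,
            "severity": "high" if planted else "medium",
        })
    return findings


# Constructed sample data: one normal Java task, one relocated java.exe.
TASKS = [
    ("JavaUpdateCheck", r"C:\Program Files\Java\jre\bin\java.exe"),
    ("SysHelper", r"C:\Users\Public\Libraries\java.exe"),
]
DIR_LISTING = {
    r"c:\program files\java\jre\bin": {"java.exe", "jli.dll"},
    r"c:\users\public\libraries": {"java.exe", "jli.dll", "notes.txt"},
}

if __name__ == "__main__":
    for f in audit_tasks(TASKS, DIR_LISTING):
        print(f)
```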
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.